"fwb_ipt should check AddressRange in TSrc against addresses of
interfaces".
Vadim Kurland 2010-01-26 03:39:52 +00:00
parent ffea614ace
commit 1687a2efcb
5 changed files with 511 additions and 31 deletions


@ -1 +1 @@
#define BUILD_NUM 2431
#define BUILD_NUM 2436


@ -1,5 +1,22 @@
2010-01-25 vadim <vadim@vk.crocodile.org>
* NATCompiler_ipt.cpp (AssignInterface::processNext): fixes #1150
"fwb_ipt should check AddressRange in TSrc against addresses of
interfaces". Compiler for iptables finds interface that matches
AddressRange object used in Translated Source of a NAT rule and
uses it for the "-o intf" clause. Addresses of interface can match
the range excactly or partially. Exact match is when range
boundaries match the beginning and the end of the subnet defined
by the interface address and netmask. Partial match is when one of
the range boundaries belongs to the subnet but another one does
not. In this case compiler uses inetrface but issues a warning. If
interface has multiple ip addresses, all of them are taken into
consideration and interface is used if at least one matches. If
address range in TSrc is wide and matches subnets of several
interfaces, compiler splits the rule and uses all of them but does
not replace the range with narrower one and still issues a
warning.
* ProjectPanel.cpp (ProjectPanel::getDestDir): fixes #1149:
ProjectPanel::getDestDir should use userDataDir dir on all OS


@ -50,6 +50,7 @@
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/ObjectMatcher.h"
#include "config.h"
@ -829,13 +830,16 @@ bool NATCompiler_ipt::addVirtualAddress::processNext()
else
a=compiler->getFirstODst(rule);
// TODO: should always issue the warning that adding virtual
// addresses for NAT is not supported with address ranges,
// regardless of the result of complexMatch()
if ( ! a->isAny() && ! compiler->complexMatch(a,compiler->fw) &&
options->getBool("manage_virtual_addr") )
{
if (AddressRange::cast(a)!=NULL)
{
compiler->warning(
rule,
string("Adding of virtual address for address range is not implemented (object ") +
a->getName() + ")" );
@ -2177,10 +2181,11 @@ bool NATCompiler_ipt::AssignInterface::processNext()
// Address *a=NULL;
// FWObject *ref;
list<FWObject*> all_interfaces = compiler->fw->getByTypeDeep(Interface::TYPENAME);
if (regular_interfaces.size()==0)
{
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
for (list<FWObject*>::iterator i=all_interfaces.begin(); i!=all_interfaces.end(); ++i)
{
Interface *iface=Interface::cast(*i);
assert(iface);
@ -2227,12 +2232,12 @@ bool NATCompiler_ipt::AssignInterface::processNext()
case NATRule::SNAT:
case NATRule::Masq:
{
Address* a = compiler->getFirstTSrc(rule);
Interface *iface = Interface::cast(a);
Address* tsrc = compiler->getFirstTSrc(rule);
Interface *iface = Interface::cast(tsrc);
if (IPv4::isA(a) || IPv6::isA(a))
if (IPv4::isA(tsrc) || IPv6::isA(tsrc))
{
iface = Interface::cast(a->getParent());
iface = Interface::cast(tsrc->getParent());
}
if (iface)
@ -2276,7 +2281,66 @@ bool NATCompiler_ipt::AssignInterface::processNext()
* has no interfaces at all. I wonder if I really have to do this,
* but I do it anyway.
*/
int n=0;
ObjectMatcher om_exact;
om_exact.setRecognizeBroadcasts(true);
om_exact.setRecognizeMulticasts(true);
om_exact.setIPV6(ipt_comp->ipv6);
om_exact.setMatchSubnets(true);
om_exact.setAddressRangeMatchMode(ObjectMatcher::EXACT);
ObjectMatcher om_partial;
om_partial.setRecognizeBroadcasts(true);
om_partial.setRecognizeMulticasts(true);
om_partial.setIPV6(ipt_comp->ipv6);
om_partial.setMatchSubnets(true);
om_partial.setAddressRangeMatchMode(ObjectMatcher::PARTIAL);
bool found_interface = false;
foreach(FWObject* i, all_interfaces)
{
Interface *iface = Interface::cast(i);
assert(iface);
if (iface->isLoopback() ||
iface->isUnnumbered() ||
iface->isBridgePort()
) continue;
if (om_partial.complexMatch(tsrc, iface))
{
found_interface = true;
NATRule *r = compiler->dbcopy->createNATRule();
r->duplicate(rule);
compiler->temp_ruleset->add(r);
r->setInterfaceId(iface->getId());
tmp_queue.push_back(r);
if (AddressRange::isA(tsrc) && !om_exact.complexMatch(tsrc, iface))
{
// We have only partial match of this address range and subnet
// defined by the interface
QString err(
"Object '%1' used in TSrc of the NAT rule defines "
"address range that only partially matches subnet "
"defined by the configuration of interface '%2'");
compiler->warning(
r,
err
.arg(tsrc->getName().c_str())
.arg(iface->getName().c_str()).toStdString());
}
}
// TODO: add check for non-aligned boundaries of the range
// defined by TSrc. Example: interface is configured as
// 33.33.33.33//255.255.255.248 (subnet 33.33.33.32 .. 47)
// but address range used in TSrc is 33.33.33.20 .. 35.
// Both define 15 addresses but boundaries are different.
}
if (found_interface) return true;
int n = 0;
foreach(QString intf_name, regular_interfaces)
{
NATRule *r = compiler->dbcopy->createNATRule();
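Review bot: The new interface loop skips only loopback, unnumbered and bridge-port interfaces, but not dynamic ones, while the fixture this commit updates (the firewall5/firewall20 comments) says an address object left behind on a dynamic interface must be ignored; if `ObjectMatcher::complexMatch` compares `tsrc` against the interface's child address objects without regard to `isDyn()`, such a stale address would select that interface for the `-o` clause even though its real address is unknown at compile time. I would add `iface->isDyn() ||` to the skip condition, or at least confirm that `complexMatch` already disregards addresses of dynamic interfaces and say so in a comment there. Separately, on a partial match the duplicated rule keeps the untrimmed range, so `--to-source` can still name addresses outside the interface's subnet; the warning text should state that the range is used as-is and that replies to those addresses will not be routed back through this interface, so the operator knows to narrow the object rather than dismiss the warning. The enclosing AssignInterface::processNext starts and ends outside this hunk.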


@ -720,6 +720,23 @@ rule sets of this object rather than in the actual firewalls.
connlimit --connlimit-above" clauses for iptables.
</p>
<p>
Compiler for iptables finds interface that matches AddressRange
object used in Translated Source of a NAT rule and uses it for the
"-o intf" clause. Addresses of interface can match the range
excactly or partially. Exact match is when range boundaries match
the beginning and the end of the subnet defined by the interface
address and netmask. Partial match is when one of the range
boundaries belongs to the subnet but another one does not. In this
case compiler uses interface but issues a warning. If interface has
multiple ip addresses, all of them are taken into consideration and
interface is used if at least one matches. If address range in TSrc
is wide and matches subnets of several interfaces, compiler splits
the rule and uses all of them but does not replace the range with
narrower one and still issues a warning.
</p>
<a name="ipcop"></a>
<h2>Support for IPCOP</h2>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1263954283" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1264468612" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
@ -1755,6 +1755,7 @@
</Interface>
<IPv4 id="id50186X27203" name="fw2:eth3:0" comment="" ro="False" address="22.22.23.23" netmask="255.255.255.0"/>
<IPv4 id="id50187X27203" name="fw2:eth3:1" comment="" ro="False" address="22.22.25.50" netmask="255.255.255.0"/>
<IPv4 id="id433944X83572" name="firewall2-5:eth2:ip-1" comment="" ro="False" address="192.168.2.40" netmask="255.255.255.0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -1797,6 +1798,7 @@
<IPv4 id="id45817X95438" name="h-192.168.171.2" comment="Imported from &quot;c3620&quot; 192.168.171.2/255.255.255.255" ro="False" address="192.168.171.2" netmask="255.255.255.255"/>
<IPv4 id="id45847X95438" name="h-10.3.14.201" comment="Imported from &quot;c3620&quot; 10.3.14.201/255.255.255.255" ro="False" address="10.3.14.201" netmask="255.255.255.255"/>
<IPv4 id="id46523X95438" name="a-192.168.1.10" comment="" ro="False" address="192.168.1.10" netmask="0.0.0.0"/>
<IPv4 id="id1971809X83572" name="fw2-5-eth1" comment="" ro="False" address="222.222.222.222" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -2179,8 +2181,8 @@
</HostOptions>
</Host>
<Host id="id3AFC191C" name="hostF-int" comment="the same address as internal iface of firewall1" ro="False">
<Interface id="id3AFC191C-i" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="unknown" comment="" ro="False">
<IPv4 id="id3AFC191C-i-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
<Interface id="id3AFC191C-i" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3AFC191C-i-ipv4" name="hostF-int:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.255"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
@ -2189,7 +2191,7 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="use_mac_addr_filter">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3DECF4EB" name="hostM-outside" comment="this host has multiple interfaces" ro="False">
@ -2703,6 +2705,7 @@
<NetworkIPv6 id="id169012X82687" name="3ffff:ffff::/16" comment="" ro="False" address="3fff:ffff::" netmask="16"/>
<Network id="id45876X95438" name="net-10.3.14.0/24" comment="Imported from &quot;c3620&quot; 10.3.14.0/255.255.255.0" ro="False" address="10.3.14.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id46155X95438" name="ipv6 net fe80::/64" comment="" ro="False" address="fe80::" netmask="64"/>
<Network id="id1380862X2261" name="net-33 24/255.255.255.248" comment="" ro="False" address="33.33.33.24" netmask="255.255.255.248"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
@ -2713,6 +2716,9 @@
<AddressRange id="id40D153ED" name="old broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
<AddressRange id="id4368AD8615884" name="ext_range" comment="" ro="False" start_address="22.22.22.100" end_address="22.22.22.110"/>
<AddressRange id="id42386X35957" name="r-192.168.1.0-include-fw" comment="this range includes address of the interface of firewall2" ro="False" start_address="192.168.1.1" end_address="192.168.1.100"/>
<AddressRange id="id504951X83572" name="range 33 1-3" comment="" ro="False" start_address="33.33.33.1" end_address="33.33.33.3"/>
<AddressRange id="id528432X83572" name="range 33 30-33" comment="" ro="False" start_address="33.33.33.30" end_address="33.33.33.33"/>
<AddressRange id="id528565X83572" name="range 33 1-33" comment="" ro="False" start_address="33.33.33.1" end_address="33.33.33.33"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services" comment="" ro="False">
@ -2946,7 +2952,7 @@
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1263949492" lastInstalled="1142003872" lastModified="1263579154" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1263949492" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -4891,7 +4897,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AF5AA0A" host_OS="linux24" inactive="False" lastCompiled="1251648630" lastInstalled="1142003872" lastModified="1230681629" platform="iptables" version="" name="firewall1" comment="this object is used to test all kinds of negation in policy and NAT rules" ro="False">
<Firewall id="id3AF5AA0A" host_OS="linux24" inactive="False" lastCompiled="1251648630" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall1" comment="this object is used to test all kinds of negation in policy and NAT rules" ro="False">
<NAT id="id3AF5AA0D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3C98491C" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -6354,7 +6360,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1251648690" lastInstalled="1142003872" lastModified="1259953340" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1251648690" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3AFB66C8" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -8236,7 +8242,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3B0226B6" host_OS="linux24" inactive="False" lastCompiled="1247364029" lastInstalled="1142003872" lastModified="1196093903" platform="iptables" version="" name="firewall3" comment="this object is used to test negation in policy rules with &quot;Assume firewall is part of 'Any'&quot; turned OFF" ro="False">
<Firewall id="id3B0226B6" host_OS="linux24" inactive="False" lastCompiled="1247364029" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall3" comment="this object is used to test negation in policy rules with &quot;Assume firewall is part of 'Any'&quot; turned OFF" ro="False">
<NAT id="id3B0226B7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3B0226B8" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -9693,7 +9699,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3B19BEE6" host_OS="linux24" inactive="False" lastCompiled="1247364158" lastInstalled="1142003872" lastModified="1263587776" platform="iptables" version="" name="firewall5" comment="testing firewall_is_part_of_any_and_networks. Also testing SNAT and DNAT rules when external interface has dynamic address.&#10;&#10;dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.&#10;&#10;All &quot;configure interfaces&quot; options are off, testing shell functions for this case." ro="False">
<Firewall id="id3B19BEE6" host_OS="linux24" inactive="False" lastCompiled="1247364158" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall5" comment="testing firewall_is_part_of_any_and_networks. Also testing SNAT and DNAT rules when external interface has dynamic address.&#10;&#10;dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.&#10;&#10;All &quot;configure interfaces&quot; options are off, testing shell functions for this case." ro="False">
<NAT id="id3B19BEE7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3CFD9EE2" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -15348,7 +15354,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3EFBC648" host_OS="linux24" lastCompiled="1247363964" lastInstalled="1142003872" lastModified="1257268597" platform="iptables" version="" name="firewall20" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" ro="False">
<Firewall id="id3EFBC648" host_OS="linux24" inactive="False" lastCompiled="1247363964" lastInstalled="1142003872" lastModified="1264474611" platform="iptables" version="" name="firewall20" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" ro="False">
<NAT id="id3EFBC649" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3EFBC64A" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -15874,15 +15880,15 @@
<RuleSetOptions/>
</Routing>
<Interface id="id3EFBC6F1" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp*" comment="" ro="False">
<IPv4 id="id3EFBC6F2" name="firewall5:ppp0(ip)" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<IPv4 id="id3EFBC6F2" name="firewall20:ppp*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3EFBC6FF" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3EFBC700" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<IPv4 id="id3EFBC700" name="firewall20:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id3EFBC702" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id3EFBC703" name="address" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<IPv4 id="id3EFBC703" name="firewall20:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.1">
@ -17526,7 +17532,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id417C680B" host_OS="linux24" inactive="False" lastCompiled="1247364001" lastInstalled="1142003872" lastModified="1227895423" platform="iptables" version="1.4.0" name="firewall25" comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore&#10;&#10;two rule sets for the filter table, to make sure there is only&#10;one COMMIT for both" ro="False">
<Firewall id="id417C680B" host_OS="linux24" inactive="False" lastCompiled="1247364001" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall25" comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore&#10;&#10;two rule sets for the filter table, to make sure there is only&#10;one COMMIT for both" ro="False">
<NAT id="id417C688D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id417C688E" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -18203,7 +18209,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id418C4609" host_OS="linux24" inactive="False" lastCompiled="1247364007" lastInstalled="1142003872" lastModified="1216410040" platform="iptables" version="1.4.0" name="firewall26" comment="this firewall uses iptables-restore format&#10;One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore" ro="False">
<Firewall id="id418C4609" host_OS="linux24" inactive="False" lastCompiled="1247364007" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall26" comment="this firewall uses iptables-restore format&#10;One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore" ro="False">
<NAT id="id418C468B" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id418C468C" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -18747,7 +18753,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4183D041" host_OS="linux24" inactive="False" lastCompiled="1247364014" lastInstalled="1142003872" lastModified="1216410045" platform="iptables" version="1.4.0" name="firewall27" comment="this firewall uses iptables-restore format&#10;all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" ro="False">
<Firewall id="id4183D041" host_OS="linux24" inactive="False" lastCompiled="1247364014" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall27" comment="this firewall uses iptables-restore format&#10;all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" ro="False">
<NAT id="id4183D0C3" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4183D0C4" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -31959,7 +31965,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id30191X26784" host_OS="linux24" inactive="False" lastCompiled="1247363969" lastInstalled="1142003872" lastModified="1230444087" platform="iptables" version="" name="firewall20-ipv6" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.&#10;" ro="False">
<Firewall id="id30191X26784" host_OS="linux24" inactive="False" lastCompiled="1247363969" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="" name="firewall20-ipv6" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.&#10;" ro="False">
<NAT id="id30432X26784" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<NATRule id="id30433X26784" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -32526,7 +32532,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id31158X1798" host_OS="linux24" inactive="False" lastCompiled="1215360886" lastInstalled="1142003872" lastModified="1240585393" platform="iptables" version="lt_1.2.6" name="firewall2-1" comment="copy of firewall2 but old iptables version" ro="False">
<Firewall id="id31158X1798" host_OS="linux24" inactive="False" lastCompiled="1215360886" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="lt_1.2.6" name="firewall2-1" comment="copy of firewall2 but old iptables version" ro="False">
<NAT id="id31415X1798" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id31416X1798" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -34343,7 +34349,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id32114X1798" host_OS="linux24" inactive="False" lastCompiled="1215360886" lastInstalled="1142003872" lastModified="1240585400" platform="iptables" version="1.4.0" name="firewall2-2" comment="another copy of firewall2 but new iptables version" ro="False">
<Firewall id="id32114X1798" host_OS="linux24" inactive="False" lastCompiled="1215360886" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall2-2" comment="another copy of firewall2 but new iptables version" ro="False">
<NAT id="id32371X1798" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id32372X1798" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -36160,7 +36166,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id35107X1833" host_OS="linux24" inactive="False" lastCompiled="1247363958" lastInstalled="1142003872" lastModified="1219171107" platform="iptables" version="ge_1.2.6" name="firewall2-3" comment="copy of firewall2, version &gt;= 1.2.6 " ro="False">
<Firewall id="id35107X1833" host_OS="linux24" inactive="False" lastCompiled="1247363958" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="ge_1.2.6" name="firewall2-3" comment="copy of firewall2, version &gt;= 1.2.6 " ro="False">
<NAT id="id35364X1833" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id35365X1833" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -43573,7 +43579,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id1080708X92250" host_OS="linux24" inactive="False" lastCompiled="1247615959" lastInstalled="0" lastModified="1247615928" platform="iptables" version="1.3.0" name="firewall72-1.3.x" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" ro="False">
<Firewall id="id1080708X92250" host_OS="linux24" inactive="False" lastCompiled="1247615959" lastInstalled="0" lastModified="1264474374" platform="iptables" version="1.3.0" name="firewall72-1.3.x" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" ro="False">
<NAT id="id1080739X92250" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id212991X8629" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="True">
@ -44124,7 +44130,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id170423X8629" host_OS="linux24" inactive="False" lastCompiled="1247615963" lastInstalled="0" lastModified="1247615946" platform="iptables" version="1.4.3" name="firewall72-1.4.3" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" ro="False">
<Firewall id="id170423X8629" host_OS="linux24" inactive="False" lastCompiled="1247615963" lastInstalled="0" lastModified="1264474374" platform="iptables" version="1.4.3" name="firewall72-1.4.3" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" ro="False">
<NAT id="id170610X8629" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id213111X8629" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="True">
@ -46462,6 +46468,382 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id433918X83572" host_OS="linux24" inactive="False" lastCompiled="1251648690" lastInstalled="1142003872" lastModified="1264468897" platform="iptables" version="" name="firewall2-5" comment="various tests for the &quot;-o itf&quot; clause in SNAT rules" ro="False">
<NAT id="id433965X83572" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id1261473X83572" disabled="False" position="0" action="Translate" comment="NETMAP and no -o itf">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3B665641"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id1072290X83572" disabled="False" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3DECF4EB"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id1971843X83572" disabled="False" group="" position="2" action="Translate" comment="&#9;">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id1971809X83572"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id2327300X83572" disabled="False" group="" position="3" action="Translate" comment="&#9;">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id433934X83572"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id481529X83572" disabled="False" position="4" action="Translate" comment="should be -o eth1">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id3CEBFF28"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id433966X83572" disabled="False" position="5" action="Translate" comment="should be -o eth2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id504951X83572"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id1380877X2261" disabled="False" group="" position="6" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id1380862X2261"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id528405X83572" disabled="False" group="" position="7" action="Translate" comment="partially matches eth3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id528432X83572"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id528530X83572" disabled="False" group="" position="8" action="Translate" comment="should be two rules: -o eth2 and -o eth3">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id528565X83572"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id51150X85535" disabled="False" group="" position="9" action="Translate" comment="should be -o eth2">
<OSrc neg="False">
<ObjectRef ref="net-Internal_net"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id433939X83572"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions>
<Option name="id"></Option>
</NATRuleOptions>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id433951X83572" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id433952X83572" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="id"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id434180X83572" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id433926X83572" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id433929X83572" name="firewall2-5:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id433931X83572" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id433934X83572" name="firewall2-5:eth1:ip" comment="" ro="False" address="222.222.222.222" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id433936X83572" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth3" comment="" ro="False">
<IPv4 id="id1379494X84720" name="firewall2-5:eth3:ip" comment="subnet 33.33.33.24-31" ro="False" address="33.33.33.25" netmask="255.255.255.248"/>
<InterfaceOptions/>
</Interface>
<Interface id="id433939X83572" dedicated_failover="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id433943X83572" name="firewall2-5:eth2:ip" comment="" ro="False" address="33.33.33.3" netmask="255.255.255.248"/>
<IPv4 id="id51114X85535" name="firewall2-5:eth2:ip-1" comment="" ro="False" address="33.33.33.4" netmask="255.255.255.248"/>
<InterfaceOptions/>
</Interface>
<Interface id="id433946X83572" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id433949X83572" name="firewall2-5:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">True</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">True</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="id"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/second</Option>
<Option name="limit_value">5</Option>
<Option name="linux24_accept_redirects">0</Option>
<Option name="linux24_accept_source_route">0</Option>
<Option name="linux24_icmp_echo_ignore_all">1</Option>
<Option name="linux24_icmp_echo_ignore_broadcasts"></Option>
<Option name="linux24_icmp_ignore_bogus_error_responses">1</Option>
<Option name="linux24_ip_dynaddr"></Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="linux24_log_martians">1</Option>
<Option name="linux24_path_ip"></Option>
<Option name="linux24_path_iptables"></Option>
<Option name="linux24_path_logger"></Option>
<Option name="linux24_path_lsmod"></Option>
<Option name="linux24_path_modprobe"></Option>
<Option name="linux24_rp_filter">1</Option>
<Option name="linux24_tcp_ecn"></Option>
<Option name="linux24_tcp_fack"></Option>
<Option name="linux24_tcp_fin_timeout">30</Option>
<Option name="linux24_tcp_keepalive_interval">1800</Option>
<Option name="linux24_tcp_sack"></Option>
<Option name="linux24_tcp_syncookies"></Option>
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">False</Option>
<Option name="local_nat">True</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">True</Option>
<Option name="log_invalid">True</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
<Option name="log_limit_value">0</Option>
<Option name="log_prefix">RULE %N - %A **</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="no_optimisation">False</Option>
<Option name="output_file"></Option>
<Option name="platform">iptables</Option>
<Option name="prolog_place">after_flush</Option>
<Option name="prolog_script"></Option>
<Option name="proxy_arp">True</Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="useULOG">False</Option>
<Option name="use_ULOG">True</Option>
<Option name="use_ip_tool">True</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>